Toledo Chamber Blog

The clock is ticking. The deadline is just around the corner. Do you know if your company will be required to comply with the European Union’s new General Data Protection Regulation (“GDPR”)?

Ask yourself:

Do we offer goods and services to people in the European Union (“EU”)?

Do we have third parties which store or send data to the EU?

Do we collect or analyze any data of EU residents?

Do we have any EU citizens as part of our workforce?

If you answered yes to any of these questions, congratulations! You now have one year to figure out how to comply with the new regulation and avoid significant penalties. The good news is there is still time to develop and execute an effective strategy for compliance, but it is going to take some work and most likely outside counsel from data privacy consultants and attorneys.

The new data protection law was adopted by the EU in April 2016 and is intended to bolster data protections for EU residents. The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. Companies, government agencies and non-profits interacting with EU residents have until May 2018 to comply.

The GDPR defines scope as:

Organizations who offer goods or services to individuals in the EU (even if they are based outside of the EU)

Non-EU based organizations conducting monitoring activities in the EU which entail the processing of personal information

How does GDPR define what constitutes personal data? Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. This will pose a significant challenge to organizations to identify and control personal data.

Some of the key privacy and data protection requirements of the GDPR include:

Basically, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of personal data.

What is the cost of non-compliance? How about a maximum fine of 4% of your total revenue or €20 million (about $21.9 million), whichever is higher. Companies can be fined if their outsourced data host or processor is breached, meaning your circle of control must extend outside your corporate walls.

While GDPR represents an important step forward for individual privacy rights, it will require vast changes and potentially significant investments by organizations around the world to comply. The good news is that existing privacy methodologies can be leveraged to assess potential gaps and provide guidance to the organization. The time is now to develop your plan of attack, dig deep into your data to better understand your potential exposure, and begin your journey towards compliance.

So where do you start?

Start planning – if the process hasn’t already been started, then get moving. The significance of this regulation warrants a dedicated resource to oversee the adaptation of business processes in response to it. Your first step should be to put together a team to develop and execute the strategy.

Review data management processes – the team should give consideration to the information your company currently holds. They should review existing supplier contracts and conduct an assessment of what personal data the company currently stores, how it is being used, to whom it is being disclosed and where it is being transferred. A full and comprehensive understanding of your current data privacy position will make life easier further down the line.

Put data breach reaction procedures in place – for a company that does not have existing procedures for notification of data breaches to the data protection authority, the creation of a protocol will be critical. In the event of a breach, timing, accuracy and transparency are key and failure to respond appropriately could have significant consequences.

Gilmore Jasion Mahler, LTD (“GJM”) has recently launched a GDPR networking series bringing together companies in our market that are working towards their compliance goals. This series is an important step in facilitating knowledge sharing and real-life examples of how companies are attacking this issue. If your company is interested in participating, please contact us at (419) 794-2000.

Matt Hoverman is a Director with Gilmore Jasion Mahler, LTD and leads the Firm’s IT consulting practice. He has spent his career helping businesses assess their IT risk level and creating a plan to maximize their technology investments.